Simple & easy way to jail users

Solution 1

Jailkit is a set of utilities that can limit user accounts to a specific directory tree and to specific commands. Setting up a jail is much easier using the Jailkit utilities than doing so 'by hand'. A jail is a directory tree that you create within your file system; the user cannot see any directories or files that are outside the jail directory. The user is jailed in that directory and its subdirectories.

Download & Install:

http://olivier.sessink.nl/jailkit/index.html#download

VERSION=2.20 # from November 2018
cd /tmp
wget https://olivier.sessink.nl/jailkit/jailkit-$VERSION.tar.gz
tar -zxvf jailkit-$VERSION.tar.gz
cd jailkit-$VERSION/
./configure
make
su -
make install

Setting up the jail

Now it’s time to set up the jail directory. Jailed users will see this directory as the root directory of the server. I chose to use /home/jail:

mkdir /home/jail
chown root:root /home/jail

jk_init can be used to quickly create a jail with several files or directories needed for a specific task or profile (click on it and read the full details).

jk_init -v /home/jail basicshell
jk_init -v /home/jail netutils
jk_init -v /home/jail ssh
jk_init -v /home/jail jk_lsh

Add a user

Add a new user with a home directory and bash shell, and set the password:

useradd -d /home/jailtest -m jailtest -s /bin/bash
passwd jailtest

Now it’s time to jail this user; use the following command:

jk_jailuser -m -j /home/jail jailtest

Your /etc/passwd should contain something like this now:

jailtest:x:1001:1001::/home/jail/./home/jailtest:/usr/sbin/jk_chrootsh

Enable bash

By using jk_cp the bash libraries are copied to the jail:

jk_cp -v -f /home/jail /bin/bash

Edit /home/jail/etc/passwd

replace this line:

jailtest:x:1001:1001::test:/usr/sbin/jk_lsh

with this:

jailtest:x:1001:1001::/home/jailtest:/bin/bash

Maintenance

With jk_update, updates made on the real system can be applied in the jail.

A dry-run will show what’s going on:

jk_update -j /home/jail -d

Without the -d argument the real update is performed. More maintenance operations can be found here.

(In case /home/jail/opt is missing, create it with mkdir -p /home/jail/opt/ and run jk_update -j /home/jail again.)

Give access to other directories

You can mount special folders that the jailed user may then access. E.g.:

mount --bind /media/$USER/Data/ /home/jail/home/jailtest/test/

Help Taken

http://olivier.sessink.nl/jailkit/howtos_chroot_shell.html

http://olivier.sessink.nl/jailkit/index.html#intro (a very good help)

This one also

This has been checked & verified, working properly.
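The step that most often goes wrong in this answer, judging by the comments below, is the last one: jk_jailuser leaves the in-jail /home/jail/etc/passwd entry pointing at jk_lsh, so an SSH login prints the banner and is closed at once, and the shell named there must also physically exist inside the jail (the jk_cp step). The following audit script is an added example, not part of Jailkit or of this answer; it assumes the layout the answer produces (host passwd entry with the <jail>/./ marker and jk_chrootsh as shell, jail-local passwd under <jail>/etc/passwd) and reports every inconsistency it finds.

```shell
#!/bin/sh
# Added audit helper, not part of Jailkit or of the answer above. It reads the
# host passwd file and the jail's own passwd file and checks that a jailed
# user's two entries agree, which catches the failure reported in the comments
# (login prints the banner, then "connection closed") where the in-jail shell
# is still jk_lsh or the shell binary was never jk_cp'ed into the jail.
#
# Usage: check_jailed_user <host_passwd> <jail_dir> <user>
# Exit status 0 when every check passes, 1 otherwise; findings go to stderr.
check_jailed_user() {
    host_passwd=$1; jail=$2; user=$3; rc=0

    host_line=$(grep "^$user:" "$host_passwd" || true)
    if [ -z "$host_line" ]; then
        echo "$user: no entry in $host_passwd" >&2; return 1
    fi
    host_home=$(printf '%s\n' "$host_line" | cut -d: -f6)
    host_shell=$(printf '%s\n' "$host_line" | cut -d: -f7)

    # jk_jailuser rewrites the home as <jail>/./<home inside the jail> and the
    # shell as jk_chrootsh; the "/./" marker is where jk_chrootsh splits the path.
    inner_home=
    case "$host_home" in
        "$jail"/./*) inner_home=${host_home#"$jail"/.} ;;
        *) echo "$user: home '$host_home' has no '$jail/./' marker" >&2; rc=1 ;;
    esac
    case "$host_shell" in
        */jk_chrootsh) ;;
        *) echo "$user: host shell is '$host_shell', expected jk_chrootsh" >&2; rc=1 ;;
    esac

    jail_line=$(grep "^$user:" "$jail/etc/passwd" 2>/dev/null || true)
    if [ -z "$jail_line" ]; then
        echo "$user: no entry in $jail/etc/passwd" >&2; return 1
    fi
    jail_home=$(printf '%s\n' "$jail_line" | cut -d: -f6)
    jail_shell=$(printf '%s\n' "$jail_line" | cut -d: -f7)

    case "$jail_shell" in
        */jk_lsh) echo "$user: in-jail shell is jk_lsh; interactive SSH will close at once" >&2; rc=1 ;;
    esac
    # The shell path is resolved inside the jail, so the binary must exist there.
    if [ ! -x "$jail$jail_shell" ]; then
        echo "$user: $jail_shell not present in the jail (copy it with jk_cp)" >&2; rc=1
    fi
    if [ -n "$inner_home" ] && [ "$jail_home" != "$inner_home" ]; then
        echo "$user: in-jail home '$jail_home' differs from '$inner_home'" >&2; rc=1
    fi
    if [ ! -d "$jail$jail_home" ]; then
        echo "$user: home directory $jail$jail_home is missing" >&2; rc=1
    fi
    return $rc
}

# Run directly as: sh check_jail.sh /etc/passwd /home/jail jailtest
if [ "$#" -eq 3 ]; then
    check_jailed_user "$@"
fi
```

Run it after jk_jailuser and again after editing the jail's passwd file; a clean run is the point at which an interactive SSH login to the jailed account should stay open.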

Solution 2

You can not confine them to /home as they need access to the system binaries and bash and configuration files in /etc

IMO the easiest method of securing users is to use apparmor.

You make a hard link:

ln /bin/bash /usr/local/bin/jailbash

You add jailbash to /etc/shells.

You then assign jailbash to the users shell, and then write an apparmor profile for jailbash allowing minimal access.

sudo chsh -s /usr/local/bin/jailbash user_to_confine

You will have to write an apparmor profile yourself, but I have a profile you could potentially start with:

http://bodhizazen.com/aa-profiles/bodhizazen/ubuntu-10.04/usr.local.bin.jailbash

Solution 3

It's difficult to guess what purpose you might want to accomplish. If it is to deny ssh/sftp while providing jailed access via FTP... easy:

Add to /etc/shells a new shell:

sudo -e /etc/shells

Add one line:

/bin/false

Save. For each user you want to deny ssh/sftp, change the user's shell:

sudo chsh -s /bin/false userx

Now userx cannot log in via ssh/sftp.

Install vsftpd:

sudo apt-get install vsftpd

Edit the config file:

sudo -e /etc/vsftpd.conf

And make these changes:

anonymous_enable=NO
local_enable=YES
chroot_local_user=YES

Save. Restart vsftpd:

sudo /etc/init.d/vsftpd restart
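Both Solution 2 and Solution 3 rest on the same two facts: the account's login shell in /etc/passwd must be the restricted one, and that shell must be listed in /etc/shells (chsh and pam_shells consult that file before accepting a shell). Solution 2 additionally depends on jailbash being a hard link to bash, and Solution 3 on three vsftpd.conf lines. The script below is an added example, not code from either answer; it audits those conditions on constructed copies of the files and assumes vsftpd's key=value syntax with no spaces, which is what the vsftpd.conf format requires.

```shell
#!/bin/sh
# Added audit helper, not from either answer. It checks the pieces the
# restricted-shell approaches rely on: the user's login shell is the intended
# one (/bin/false to block ssh/sftp, or the jailbash link for the AppArmor
# profile), that shell is listed in /etc/shells, jailbash really is a hard link
# to bash (same inode, so it follows every bash update while keeping its own
# AppArmor profile path), and vsftpd.conf carries the three settings that
# confine local FTP users to their home directory.

# user_shell <user> <passwd_file>: print the user's shell field, exit 1 if absent
user_shell() {
    awk -F: -v u="$1" '$1 == u { print $7; found = 1 } END { exit found ? 0 : 1 }' "$2"
}

# shell_listed <shell> <shells_file>: 0 if the path appears as a non-comment line
shell_listed() {
    grep -v '^#' "$2" | grep -qxF -- "$1"
}

# check_login_shell <user> <expected_shell> <passwd_file> <shells_file>
check_login_shell() {
    shell=$(user_shell "$1" "$3") || { echo "$1: not in $3" >&2; return 1; }
    if [ "$shell" != "$2" ]; then
        echo "$1: login shell is $shell, expected $2" >&2; return 1
    fi
    if ! shell_listed "$2" "$4"; then
        echo "$2: not listed in $4, so chsh/pam_shells will not accept it" >&2; return 1
    fi
    return 0
}

# same_inode <path_a> <path_b>: 0 if both names refer to one file (a hard link).
# -ef is not in POSIX test(1), but dash and bash both provide it.
same_inode() {
    [ "$1" -ef "$2" ]
}

# vsftpd_chroot_ok <vsftpd_conf>: 0 only if all three settings are present.
# vsftpd's syntax is key=value with no spaces, so an exact-line match suffices,
# and a commented-out "#chroot_local_user=YES" correctly does not count.
vsftpd_chroot_ok() {
    rc=0
    for kv in anonymous_enable=NO local_enable=YES chroot_local_user=YES; do
        if ! grep -qxF -- "$kv" "$1"; then
            echo "$1: expected line '$kv' not found" >&2; rc=1
        fi
    done
    return $rc
}
```

On a real host the calls are check_login_shell userx /bin/false /etc/passwd /etc/shells, same_inode /bin/bash /usr/local/bin/jailbash and vsftpd_chroot_ok /etc/vsftpd.conf; a non-zero status from any of them means the corresponding step of the answer has not taken effect.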

Author: One Zero

Updated on September 18, 2022

Comments

  • One Zero
    One Zero almost 2 years

    I need a simple and easy way to jail users in their home directories in Oneiric. Do you have a simple configuration for jailing users, with full help, or some good web links?

    I would be offering an online free public server with 10 to 20 GB free space. I don't know how many users. I want to give them SSH and SFTP so that they can connect through FileZilla.

    • One Zero
      One Zero over 12 years
      2nd update if users are not locked in home directories
    • Ali
      Ali over 12 years
      then I believe you 1-as mentioned by @Marco you want to try ChrootDirectory for SSH 2- you may want to go beyond the standard ways of doing things as you need to scale this to handle "a lot" of storage, ... 3- Is SSH your best choice? do people need SSH on your service? 4- Good luck
    • One Zero
      One Zero over 12 years
      i have other plan as well .... for normal users we would be offering only SFTP with MY SECURE SHELL , that's very easy 2 handle
    • Admin
      Admin about 10 years
      How can I remove this jail e.g. (home/jail)? And when I add some jail section e.g. jk_init -v -f /home/jail netutils, how will I remove this?
  • Panther
    Panther over 12 years
    Just be very careful with rbash, it is very easy to break out of and sort of considered outdated. See blog.bodhizazen.net/linux/how-to-restrict-access-with-rbash
  • Karlson
    Karlson over 12 years
    @bodhi.zazen You mean rbash?
  • Panther
    Panther over 12 years
    yes, sorry I fixed that. There was a blog several years ago where someone broke out of a rbash jail I set up, and I thought it was a tight, minimal jail. Took them less than 5 minutes. Not had anyone break out of jailbash.
  • Dom
    Dom over 12 years
    You can not confine them to /home as they need access to the system binaries and bash and configuration files in /etc There is nothing stopping you from linking/copying files you feel they need.
  • Panther
    Panther over 12 years
    Yes you "can" do as user606723 suggests, but it is not so easy, and IMO of all the potential solutions the least practical or easy. Might as well build a chroot or use lxc. You copy a binary, then the libs. Often you will manually need to identify libs with ldd. This method takes a ton of work to set up. And then you have to keep the jail up to date, you will have to manually update (copy) the binaries / libs. Links might work better in terms of updates, but you still need to set them all up. Somehow I do not think this is what the OP had in mind. How then to keep them confined ?
  • Dom
    Dom over 12 years
    I think the whole point of the question was to point out tools to automate this process... like jailkit, a tool the OP mentions.
  • One Zero
    One Zero over 12 years
    well i m want to give them ssh + sftp (connect through filezilla)
  • One Zero
    One Zero over 12 years
    can u plz tell me how do i configure it ....jailbash
  • One Zero
    One Zero over 12 years
    @bodhi.zazen . what u think about about this .. debootstrap (oneiric) then make a container using lxc . using jail kit > user to container > . what i did so far is i have debbootstrap oneiric minimum then used jailkit >working fine
  • Panther
    Panther over 12 years
    you can use LXC for this task, beware that isolation is sometimes incomplete with LXC. As long as users do not have root access in the container you should be OK and you may want to subscribe to the LXC mailing list.
  • One Zero
    One Zero over 12 years
    @bodhi.zazen. the thing i was thinking is that ...how users go straight to lxc containers ... is the same config i m using with debootstrap ?
  • Panther
    Panther over 12 years
    lxc is somewhat similar to a chroot (debootstrap), but it is a bit more complex. Some people use scripts to set up lxc.
  • One Zero
    One Zero over 12 years
    i did with jailkit , debootstrap ....i did it with lxc containers ...i have tested all things ....i just need a way to lock user's in there home directories
  • Dmitry Koroliov
    Dmitry Koroliov about 11 years
    Thank you so much. I have tried all three top-voted answers and your one is the easiest. Actually it is the only one which worked for me.
  • Panther
    Panther about 11 years
    @caligula - you are most welcome
  • hookenz
    hookenz over 10 years
    This doesn't work on Ubuntu 13.10. When you try to finally login you get the welcome message immediately followed by connection closed.
  • c4f4t0r
    c4f4t0r over 10 years
    yes, man bash helps, using bash restricted shell capabilities is simpler
  • ONOZ
    ONOZ about 10 years
    Matt H: Make sure to follow the last two steps; copying the bash binaries and editing the /home/jail/etc/passwd file.
  • Attila Fulop
    Attila Fulop over 9 years
    I also had the connection closed issue immediately after the welcome message. I changed the login shell within the chroot passwd file from jk_lsh to bash as read here linuxquestions.org/questions/linux-software-2/… It is not a solution but a workaround!
  • PJunior
    PJunior almost 9 years
    Tnks for your answer. Unfortunately I wasn't able to configure it correctly so the user could connect via sftp. :( Sep 23 05:39:31 nsXXXXXX jk_chrootsh[2701]: now entering jail /home/jail for user usersftp (1001) with arguments -c /usr/lib/openssh/sftp-server Sep 23 05:39:31 nsXXXXXX sshd[2700]: Received disconnect from 84.91.XXX.XXX: 11: disconnected by user
  • alper
    alper about 6 years
    It seems that the solution does not work anymore on latest ubuntu version: I have done sudo su - testuser but nothing happens. What should I do? And sudo -su testuser opens at under jail user directory but I can still see others' directory. @MariusMatutiae
  • rubo77
    rubo77 over 5 years
    I edited the answer: enhanced formatting, updated Version to 2.20 and created a variable for it; added su - at the right position and renamed testuser to jailtest, to avoid attacks and collisions with other testusers – this works fine on my Ubuntu 18.10
  • rubo77
    rubo77 over 5 years
    But it doesn't seem to work on Debian (tested on wheezy and stretch). Here is the -vvv ssh log: pastebin.com/Mwbsz4Wq